Award-winning news, views, and insight from the ESET security community

Massive New Koobface Campaign

Our colleagues in ESET Latin-America have reported that a huge new malware distribution campaign is being carried out through the popular social network Facebook. In this instance, it is our old friend the Koobface worm that is being propagated. (For more about Koobface see Randy's post here, and for more about this particular iteration, see

Our colleagues in ESET Latin-America have reported that a huge new malware distribution campaign is being carried out through the popular social network Facebook. In this instance, it is our old friend the Koobface worm that is being propagated. (For more about Koobface see Randy's post here, and for more about this particular iteration, see

Our colleagues in ESET Latin-America have reported that a huge new malware distribution campaign is being carried out through the popular social network Facebook. In this instance, it is our old friend the Koobface worm that is being propagated. (For more about Koobface see Randy's post here, and for more about this particular iteration, see the update here.)

Many thanks to Cristian Borghello, Jorge Mieres and Sebastián Bortnik for all the information.
Any errors in translation or interpretation are mine!

In this particular campaign, the worm spreads across social networks by way of messages claiming to be about hidden cameras showing erotic encounters via an Internet connection. The message is sent from the infected machine to each of the owner's contacts and the link redirects to Web sites called “Video posted by … Hidden Camera …”. A pop-up at this site tells the user that he needs to download what is supposed to be a video codec, in order to look at the video.

As you can guess, the offered file isn't any sort of Flash codec, but the Koobface executable. If the user downloads and runs it, his system will become infected. The next screenshot shows how ESET Smart Security detects the attack when the intended victim tries to download the file.

A notable feature of this particular attack is that the malicious download only works the first time the victim accesses the site. Subsequent attempts generate what looks like a 404 error (Page Not Found). Attackers do this to hamper the work of security researchers, so that it becomes more difficult to analyse subsequent differing versions of the malicious code.

All the domain names seen to date are in the format http://[IP address]:[port]/[random numbers and letters]/. The screenshot shows one of these addresses:

hXXp:// [DELETED].169.144.218:167/62f469a63f1a/.

As of this time, the Laboratory in Latin America has found and analyzed over 100 IP addresses where users whose systems are already affected are responsible for the spread of this malware. It is very important to prevent infection, not only because of the risk to your own system but because of the risk to others. Don't trust any messages of this type that turn up in social network messaging services like Facebook. Be on the lookout for deceptive social engineering and keep your antivirus software properly updated.